Big Privacy Ruling Says Feds Can’t Grab Data Abroad With a Warrant

An appeals court just sent the American Justice Department a clear message about its ability to reach beyond US borders to collect data with a search warrant: Keep your hands to yourself.

In Thursday’s landmark ruling, a panel of Second Circuit judges decided that Microsoft can’t be forced to turn over the email communications of a criminal suspect in a drug investigation whose emails were stored at Microsoft’s data center in Dublin, Ireland. The judges’ decision states that under the Stored Communications Act, a search warrant sent to Microsoft can’t be applied internationally. That decision overturns a New York court’s ruling and sets a new precedent that limits American prosecutors’ ability to pull foreign communications data out of data centers beyond US borders—even when the company itself is headquartered in the US.

“We conclude that Congress did not intend the [Stored Communications Act’s] warrant provisions to apply extraterritorially,” the judges wrote in their decision. “The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland.”

This settles a long-running ambiguity in how US law should handle search warrants when data is increasingly scattered in storage centers around the world. And it could represent a new privacy assurance for foreigners under investigation by American authorities and even for Americans whose data ends up in foreign data centers. “This is a big win for privacy,” says Nate Cardozo, an attorney with the Electronic Frontier Foundation. “It circumscribes the US government’s power abroad. It reiterates the rule that US law doesn’t apply outside the US …[And] it keeps foreigners’ data secure from the US government, which has shown again and again that it’s willing to overstep reasonable bounds on its power.”

In a statement, Microsoft celebrated the ruling as a global win for civil liberties. “This decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments,” the company’s chief legal officer Brad Smith wrote. “As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country.”

The ruling comes in a case that stretches back to 2013, when Microsoft refused to comply with a warrant for a criminal suspect’s Outlook.com emails stored outside the US. Prosecutors accused Microsoft of contempt of court, but never publicly named their suspect. In just the last month, however, the Times of London reported that the suspect is 28-year-old Gary Davis, an Irish man suspected of being an administrator of the dark web drug marketplace known as the Silk Road. He’s currently fighting extradition to the US to face criminal charges.

Prosecutors and the FBI could now face new hurdles in trying to track down evidence in sprawling, international cases like the Silk Road, as highlighted in a tweet from George Washington University law professor Orin Kerr:

Want to stymie U.S. law enforcement? Store your data in the cloud fragmented over many locations outside U.S.

But Microsoft and civil liberties advocates have argued that giving American prosecutors access to foreign data would have severe privacy consequences. “It’s a very good outcome, because it avoids the privacy disaster of foreign governments making similar demands,” says Greg Nojeim, a senior counsel at the Center for Democracy and Technology. “The alternative would have prompted foreign governments to insist that their process reaches data stored inside the United States. It would have been like the Wild West.”

The judges in the appellate case write, however, that their decision wasn’t based on those diplomatic considerations so much as the technical definition of a warrant, which under the Stored Communications Act specifically applies to domestic data. “Congress’s use of the term of art ‘warrant’,” they write, “emphasizes the domestic boundaries of the Act in these circumstances.”

One judge on the three-judge panel noted that the ruling may not strike the right balance between privacy and law enforcement. Judge Gerard Lynch wrote in a separate decision that he was merely bound by the letter of the Stored Communications Act. “I am skeptical of the conclusion that the mere location abroad of the server on which the service provider has chosen to store communications should be controlling, putting those communications beyond the reach of a purely ‘domestic’ statute,” Lynch wrote. “That may be the default position to which a court must revert in the absence of guidance from Congress, but it is not likely to constitute the ideal balance of conflicting policy goals.”

And American prosecutors still have a powerful tool to grab data abroad: Mutual Legal Assistance Treaties that allow foreign law enforcement to collect data on the US government’s behalf, or vice versa. America’s MLAT with Iceland, for example, was used to obtain the server that ran the Silk Road from a data center near Reykjavik. Today’s appellate ruling means that MLAT process remains the standard protocol for seeking criminal suspects’ data abroad, as it should be, says the EFF’s Cardozo. “This is a curb on the government’s ability to just grab whatever it wants, process be damned,” says Cardozo. “There’s a process in place to get this data, and the government has to follow it.”

Law enforcement officials—and the lower-level New York judge who originally ruled against Microsoft in its contempt case—argued that it’s simply too easy for criminals to hide their data abroad, and that MLATs are too slow, sometimes taking longer than a year to produce results. The judges in the appellate case considered those problems and dismissed them. That process may be cumbersome, they write, but the alternative method of grabbing the data with a warrant is illegal.